It’s just past 8.30 am on a busy Tuesday. A five-person legal team
has just arrived to work with your firm on that big case. For the
next four days, these five lawyers will be camped in your conference
room. And their first question is, “How do we get Internet
access?”
[Ian Sacklow co-wrote this white paper]
At
many small and mid-sized firms in the US, the answer is increasingly,
“We’ve got Wi-Fi.”
A Wi-Fi Access Point (WAP) allows your computer or personal digital
assistant (PDA) to connect to the Internet, or a computer network, at
high speed, without wires (see sidebar).
Wi-Fi lets your clients use the Internet or access their corporate
network. It allows your partners, associates and interns access to
the web and your Local Area Network (LAN) from the library or
lunchroom – or the coffee shop across the street.
In
the immediate future, lack of a Wi-Fi connection to the Internet will
be as disruptive to a law firm as the lack of an Internet connection,
or a mobile phone.
As
we adopt new technologies, no matter how revolutionary or wonderful
they may be, we must not be reluctant to address their
vulnerabilities. An improperly or incompletely configured WAP has
vulnerabilities. Fortunately, there
are inexpensive and easy-to-employ safeguards against many of them.
Executive Summary
This article is intended to provide attorneys and support staff with
an overview of Wi-Fi, and the challenges they face as they maintain
the confidentiality of client documents and information in a wireless
network setting. This article proposes a standard comprising the
steps which law firms should take to reasonably prevent intrusion
into their LAN via their WAP, and thereby protect the confidentiality
of their clients’ information.
The
article is geared towards those in the many law firms which don’t
have full time Information Technology (IT) departments, or formal
computer training. The steps suggested do not provide a guarantee
against unauthorized intrusion. They do provide a reasonable amount
of security at reasonable expense.
When
it comes to a lawyer’s duties to maintain confidentiality, I’ve been
told there has been no landmark ruling about what are reasonable
measures to protect client data across a WAP. A poorly configured WAP
can expose your clients’ confidential information. Unless you wish to
be the test case to establish that standard, you should establish and
maintain reasonable levels of security when deploying a WAP.
It
is submitted that the steps I propose are reasonable, and it is hoped
that they would therefore be adopted as a standard to be followed and
provide a safe harbor for law firms seeking to protect the
confidentiality of client information in a wireless network setting.
The proposed standard includes four steps to protect and encrypt the
traffic on the WAP. Any WAP not so protected shall be considered to
be an “Open WAP.”
The
proposed standard also includes a written security policy covering:
-
WAPs in the office
-
WAPs at the homes of those with remote-access authorization to the
firm’s local area network
-
Computers which contain client data and access publicly-accessible
WAPs (at coffee bars, airports, Bar Association Libraries, airports,
etc.)
Wi-Fi: An Indispensable Tool
-
Wi-Fi is everywhere, and it’s no fad.
There were more than 10 million WAPs in US homes by the end of 2004, with an expected 14 million by the end of 2005.
At coffee bars, restaurants and offices throughout the world, you’ll see people working on Wi-Fi-enabled devices like notebook computers. Publicly-accessible WAPs, known as Hotspots,
are provided in scores of cities to
encourage Internet use. Many Hotspots provide the Internet access at no cost, to encourage foot traffic.
Other Hotspots, such as those at most Starbucks, Barnes and Noble,
Borders and Kinkos locations, charge access fees for Wi-Fi – about
$1.30 a day for a monthly subscription.
WAP Overview
-
The vast difference between connecting via Wi-Fi to the Internet, and connecting via Wi-Fi to your LAN is an important distinction.
Components
comprising a Wi-Fi network work in much the same way as
walkie-talkies and a base station. When you set up a WAP (sometimes
also referred to as a, “Wireless Router”), you are broadcasting a
radio signal to the area within a radius of up to 300
feet from the WAP. By default, anyone with a mobile device equipped
with a Wi-Fi transceiver (“Wi-Fi Adapter”) can detect this
signal and request a connection. When the WAP recognizes the request,
by default it assigns to the requesting device a unique identifier
(an “IP Address”) which permits the WAP and mobile device to
communicate. Once this connection has been made, the mobile device is
granted access to the network to which the WAP is connected.
Most
people connect the WAP to a high-speed Internet connection. Once a
mobile device is connected to such a WAP that device can access the
Internet.
Some
people also connect the WAP to their Local Area Network (LAN). Your
LAN is the network of computers which contain your data and client
information. LAN access must be protected by a firewall, which
prevents unauthorized communications originating outside the LAN from
getting in.
For
reasons which will be made clear below, I highly recommend that
anyone accessing your LAN from anywhere outside the firewall –
be it through your WAP, their home computer or network (wired or
wireless) or a public Hotspot – do so through a Virtual Private
Network (VPN). A VPN creates a “tunnel” through which your
data is transported, crytographically encrypted, through the firewall
and on to the LAN.
VPNs are the number one thing people should be doing. A VPN lets trusted users be as productive as possible. Even if an unauthorized user gets
on to your WAP, you can keep him locked out of your LAN.
The
proposed standard therefore requires you place the WAP outside
your firm’s firewall. By creating a “demilitarized zone”
(DMZ) which is inside the WAP but outside the firewall, you grant
wireless Internet access via your WAP, while only Trusted users may
access the LAN, through the VPN.
Unless you intend to offer public Internet access (which you might,
see below), then you must also protect your WAP with encryption and
an authentication scheme, which requires user name and password, to
help keep unauthorized users out. While less important than
protecting your LAN, protecting your WAP from just anyone getting
Internet access can be important as well (see sidebar).
What’s
Your Responsibility?
-
Connecting an Open WAP to your firm’s LAN is literally as unsafe
as placing your client files in an unlocked file cabinet in the
center of a city street.
Lawyers in New York State mustn’t knowingly “… reveal a confidence or secret of a client”, and “…shall exercise reasonable care to
prevent … employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client.”
An
Open WAP is a Hotspot – a publicly shared computer network open to
anyone, anywhere within 300 feet. In 2001, the DC Legal
Ethics Committee stated it is “…impermissible for unaffiliated
attorneys to have unrestricted access to each other’s electronic
files (including e-mails and word processing documents) and other
client records. If separate computer systems are not utilized, each
attorney’s confidential client information should be protected in a
way that guards against unauthorized access and preserves client
confidences and secrets.”
The Delaware Bar opined that client confidentiality is
broken when a lawyer, “should reasonably anticipate the
possibility that his or her communication could be intercepted and
confidences disclosed.”
An
irate client whose opponent became aware of embarrassing information
via such an interception might well make the argument that
maintaining an Open WAP doesn’t protect his data in a way that guards
against unauthorized access and preserves client confidences and
secrets.
Protecting
the confidentiality of client information on an Open WAP is
impossible. Cheap and simple steps can solve this problem.
Criminal Liability of Accessing a ‘Public’ Hotspot
-
You
cannot rely on existing laws to prosecute “unauthorized” WAP
access. It is difficult to determine how a user becomes authorized
to access a WAP, and there’s no common mechanism by which to post a
notice that he is not.
In
early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III
for accessing a residential WAP and connecting to the Internet –
from his car. Smith was charged with unauthorized access to a
computer network.
He
might get off. Who’s to say it was unreasonable for Smith to assume
what he did was Kosher? The WAP he used was wide open. With the
proliferation of Hotspots,
who can say whether a person can reasonably infer an Open WAP is
intended for public use?
Under
current New York law, it is illegal to intentionally access someone
else’s computer, computer network or equipment without authorization
to do so where such computer or equipment, “…is equipped or
programmed with any device or coding system, a function of which is
to prevent the unauthorized use of said computer or computer
system.”.
The
New York Penal Law also attempts to define “authorization”
by providing that to establish authorization, one must be either
(i)
give actual notice in writing or orally to the user;
(ii)
prominently post written notice adjacent to the computer being
utilized; or
(iii)
a notice that is displayed on, printed out on or announced by the
computer being utilized by the user.
Significantly,
the Penal Law also provides for a presumption that notice of such
authorization is given where, “the computer is programmed to
automatically display, print or announce such notice ….”
Scott R. Almas, who was instrumental in developing the business and
technology model to implement many of the Hotspots throughout
downtown Albany, New York, is a technology attorney at the law
firm of Lemery Greisler LLC. While Almas does not endorse the
unauthorized use of open WAPs, he points out significant problems
with New York’s law when viewed against the practical reality of the
proliferation of Open WAPs.
“I
am particularly troubled,” Almas said, “by how a user is supposed
to know whether or not the owner of the Open WAP is authorizing use
of the access point where the owner broadcasts to the world the
presence of the access point and takes no steps to secure it. By the
very nature of WAPs, there is no reasonable way to post or provide
oral notice, and it can be difficult to interpret from the
broadcasted name of the access point whether authorization is
intended.”
“In light of the fact that protecting the WAP is free, simple to do, and
strongly recommended by the access point manufacturers during the set
up process,” Almas said, “I believe anyone who sets up a
WAP and does not follow the advice to install even the most basic,
minimal safeguards should be presumed to be providing authorization
to access the Open AP for otherwise lawful Internet use.”
“The presumption should not,” adds Almas “extend to authority to access information on the WAP owner’s LAN, or other illegal or
harmful activities.”
Oops. Was That Your WAP?
<li><p>
<strong>If
a mobile device automatically seeks and connects to a WAP, then
accessing an Open WAP needn't even be intentional. </strong>
</li>
Most
new notebook computers ship with the Microsoft Windows XP or
Macintosh OSX operating systems, and are equipped with internal
wireless adapters (see sidebar). If the wireless adapter is switched
on, the notebook will seek, and attempt to connect with, WAPs – even
before the screen comes to life.
People set their notebooks to connect to any available network, so
the onus is on the owner of the WAP. I would think that if your WAP offers credentials to enter – such as an IP address – a user might reasonably think that they’ve been granted access to your WAP.
And New York Penal Law Section 156.50 provides a defense for persons who
had reasonable grounds to believe that they had authorization to use
the computer. Therefore, unfortunately, the issue will likely be left
for the Courts to decide whether such a presumption exists and is
applicable in any given case.
Attorneys
and the public must properly frame these issues and arguments, so
that the Courts can properly interpret and apply the law.
Determine
Your Needs
<li>
<strong>You can protect your LAN while providing public access to your
WAP and the Internet - so long as you configure your WAP properly</strong></li>
Lemery Greisler, Almas’ Albany, New York law firm, provides a Hotspot
to afford anyone in the area free access to the Internet. By giving
pedestrians a good reason to mill about, this is a fine goodwill
gesture towards local businesses at low cost.
That’s
a perfectly reasonable thing to do, so long as you reasonably ensure (as did Lemery Greisler) that it is difficult for strangers to
access your LAN from the Hotspot. They placed the Hotspot outside
their firm’s firewall, thereby providing a public service at little
risk to their own network.
It’s
important that you, too, determine what you want your WAP to do, and
deploy it properly.
Don’t Panic … But Set A Policy
<li>
<strong>A clearly communicated and strongly enforced written policy
governing remote network access is essential. </strong>
</li>
A
written wireless data security policy is vital in any environment; in
a law firm, the lack of one could be expensive, embarrassing and
time-consuming. It could create civil liability – and even criminal
liability (see sidebar) – for the firm.
All
people in the firm must be made aware of the policy, not matter their
position: it does you no good to take steps to increase security if
your receptionist or even a junior associate tells a caller
information about your WAP and network. This happens far more often
than you’d think. Specifics on what the policy should cover are
listed below, within the proposed standard.
Everybody’s Not Doing It
<li>
If you haven't
locked down your firm's WAP, you're not alone. This problem is
widespread and international.</strong>
</li>
In March, 2005, data
protection company RSA Security reported that a survey it
commissioned from netSurity found more than one third of wireless
business networks in four major cities were unsecured – 38% of
businesses in New York, 35% in San Francisco, 36% in London and 34%
in Frankfurt.
Those numbers are about
right – a safe, if not conservative, figure. It’s analagous to a car, which comes with locks built right in to the doors, but it’s up to you to depress the lock button.
From Elite Geeks to An Unruly Mob
<li>
One no longer
needs to be a gifted programmer to be a successful intruder.</strong></li>
Cracking WEP, the lowest form of Wi-Fi encryption, is increasingly trivial
(see sidebar), and attorneys must never entrust WEP – no
matter how large the bit-size – to be the sole means of protecting
a LAN.
The popular image of a “Hacker,” as a young, pale-skinned
male perched behind a complex computer using arcane tools to
penetrate computer systems is dated.
Hacking, password- and encryption-breaking tools have become
ubiquitous, sophisticated, simple to use and are totally free to
download from the Internet.
PROPOSED
STANDARD
A
determined intruder with the right tools will get in no matter what
you do – nothing offers 100% security or guarantees, but you
should employ the best security you can install and maintain without
unreasonably disrupting productivity. Take all reasonable steps to
secure client information on your LAN with a well-configured
firewall.
If
you merely wish to allow Trusted users wireless Internet access,
securing your WAP can likely be done by Dan – that geeky intern who
likes Star Trek. It can take as little as 15 minutes, and can
cost nothing: if you’ve got a WAP, you’ve almost certainly got the
hardware needed (and if you don’t, you can spend as little as $40 to
get it).
If
you wish to allow the WAP to also grant LAN access, and you don’t
have an IT person in-house, you might buy a combination VPN/WAP for
as little as $149 (see sidebar). Otherwise, you may need to hire an
outside consultant or installation specialist for a few hours’
consultation or work to set up the VPN.
Four Main Steps
Because
Linksys is the most popular WAP maker, examples below refer to
Linksys products; your WAP’s instruction manual contains specific
How-Tos and instructions to do all the following. All brands provide
similar steps and menus, and all use the same terminology.
STEP ONE: CHANGE THE DEFAULTS
The simplest solution for a range of common problems raised by WAPs is to
change the default information on the WAP itself. This is
accomplished by opening a web browser and surfing to the IP address
of the WAP device.
First go to the Setup Page:
<li>
Change the Router Name<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><SUP>11</SUP></a>.
</li>
<li>
Change the last two fields in the WAP's Local IP address to
something other than what's there. Reasonable entries include
192.168.11.1 or 192.168.0.25.
</li>
Next,
go to the Wireless Basic Settings Page. The Service Set Identifier
(SSID) is the name of the wireless network your users will connect
to. By default it is set to “Linksys.”
<li>
Change the SSID to something non-descriptive - not your firm's
name. While the concept of security through obscurity is not to be solely relied upon, choose for your SSID something obscure, like B3QXR25.
</li>
<li>
Then, disable the SSID broadcast, so it won't be readily visible to
users who don't know that the WAP is there (though "war-drivers"
- people who drive around looking for Open WAPs - might see it.
Yes, there's a war-driving subculture).
</li>
STEP TWO: CHANGE THE ADMINISTRATIVE PASSWORD
A hacker, using the default username of (nothing) and the default
password of “admin” can take over your WAP and lock you out. In the Administration page:
<li>
Set a new, hard-to-guess administration password, using at least an
eight character string which is not a word found in a dictionary,
and which comprises upper and lower case letters and numbers.</li>
STEP
THREE: ENCRYPT THE SIGNAL
Use
the best encryption method you possibly can, preferably WPA2 (see
sidebar). If WPA2 is not available, then deploy, in descending order
of preferability, either WPA or WEP. If you absolutely must use
WEP, use 128-bit encryption – which takes a bit longer to crack
than weaker versions of WEP.
STEP FOUR: VPN INTO THE LAN
You absolutely, positively may not allow access to your LAN through the
WAP except with the use of a VPN.
Because
the VPN’s authentication is vastly more secure than Wi-Fi’s and
encrypts all data between the client (that’s your notebook computer
or PDA) and the LAN, it helps ensure that anyone gaining access to
the LAN is authorized.
Written Policy
Anyone who has been granted remote access to your LAN must abide by
the written remote access policy. This policy must cover the remote
users’ notebook computers, PDAs and other mobile data devices; their
home LAN and any home computers, and any other machines which they
may use to access the company LAN.
The policy must be clearly posted in the firm, and discussed with all
remote users and staff. It must explicitly set forth rules governing
what employees may tell outsiders about your computers, your network,
your WAP and your security policies. It must be regularly reviewed.
For a sample written policy, see http://www.nickselby.com/wifi
Protect Home WAPs
Anyone granted permission to access the LAN via VPN must apply all
four steps above to their home or other remote WAP. This not only
protects your LAN, it protects personal data they store on their home
machines.
Current OS Patches, Anti-Virus, Firewall & Spyware Blockers
Anyone accessing the LAN must ensure that their device is updated
with the most recent security patches for their Operating System.
All machines on the LAN must run current versions of anti-virus
software with regularly updated virus definitions. Note that new
viruses are introduced every hour; “regularly updated virus
definitions” means at a minimum of once each week. It could be
argued it is reasonable to update every 24 hours.
Any
device accessing from outside the LAN must be running a
properly-configured firewall program such as Zone Alarm or Computer
Associates eTrust. The Basic Signal Set (BSS) is shared by all users of an AP; should the hotspot not block inner BSS connections, and you should assume it is not blocked, then if you connect to that AP and you are not running a firewall, a malicious user can gain access to your machine and install software or remove files from your hard drive. If you’re not encrypting your e-mail, it (and your password and username) can be very, very easily captured and viewed in plain text by others on the Hotspot –
unless you’re encrypting your email through a VPN, or an encryption
program such as PGP.
Always
assume that others can see you on a Hotspot. Make sure you have a firewall running, and anything
you care about – such as email or confidential files – is encrypted
across a tunnel.
Call
For Discussion
As when you access a Hotspot, you’re always looking for the balance
between ease of access and loss of security. The best we can do
is educate people about the upside and downsides of using WAPs, and discuss ways to protect yourself so that your information remains reasonably secure.
As I mentioned earlier, this is all very new. The proposed standard
is a first step towards reducing the likelihood that your LAN will be
compromised, or your Internet connection abused. In order to further
this recommendation and develop a final specification, I welcome your
comments.
Ian Sacklow, the founder of the Capital District Linux Users Group and
Information Systems Manager for Dodge Chamberlain Luzine Weber
Associates, an architectural firm with offices in East Greenbush,
Plattsburgh and Jericho, New York, co-authoried this white paper.
Members
of the Capital District Linux Users Group contributed technical
information and fact checking for this article.
Also in this series…
A proposal for Reasonable Wireless Security for law firms
A sample network access policy
Wifi encryption standards
“There’s nothing on my desk worth stealing”
…and free hotspots for all